Abstract

A new protocol for 1-2 (String) Oblivious Transfer is proposed. The protocol uses 
5 rounds of message exchange. 
1 Introduction

During a 1-2 (String) Oblivious Transfer protocol, Bob should learn one of two bit strings 
provided by Alice, but not both, while Alice should not learn anything about Bob's choice. 

A protocol fulfilling these constraints would be a powerful cryptographic primitive 
(cf. [3] for an introduction to the subject). 

In this article, we propose a protocol that uses 5 rounds of message exchange. 
Since most of the computational part of the protocol takes place in the unit group of 
a finite field, we further investigate the question whether Alice or Bob can gain more 
information, if it turns out that the computation of discrete logarithms in this group is 
easy. 

2 The Protocol 

Initialisation: Before the actual start of the protocol Alice and Bob agree on a positive
integer $n \in \mathbb{N}$, a prime $p$ of size $\sim 2^{\sqrt{n \log n}}$, a random matrix $C = (c_{i,j})_{i,j} \in \mathbb{F}_p^{n \times n}$,
$i, j = 1, \dots, n$, a cryptographic Hash-Function $h_1 : \mathbb{F}_p \to \{0,1\}^{q}$ and an injective
(polynomial-time computable) One-Way-Function $h_2 : \{0,1\}^{q} \to \{0,1\}^{q'}$, for integers $q$
and $q'$. Here, $\mathbb{F}_p$ denotes the finite field with $p$ elements.

Round 1: Alice starts by choosing $n$ random bits $t_1, \dots, t_n$, two distinct random
elements $a, b \in \mathbb{F}_p$, with $a \neq -c_{i,j} \neq b$ for $i, j = 1, \dots, n$, two distinct random elements
$\alpha_a, \alpha_b \in \mathbb{F}_p^*$ of order $p - 1$ (i.e. each of these elements is a generator of the unit group
$\mathbb{F}_p^* := \mathbb{F}_p - \{0\}$) and two random permutations $\sigma_a, \sigma_b$ on the set $\{1, \dots, n\}$. She then
computes, for $j = 1, \dots, n$,

$$\mu_{j,a} := \alpha_a^{\sigma_a(j)} \prod_{i=1}^{n} (a + c_{i,j})^{t_i} \quad\text{and}\quad \mu_{j,b} := \alpha_b^{\sigma_b(j)} \prod_{i=1}^{n} (b + c_{i,j})^{t_i} \tag{1}$$

and sends $((\mu_{j,a})_j, (\mu_{j,b})_j)$ to Bob.

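Round 2: Bob chooses $n$ random bits $s_1, \dots, s_n$. He computes

$$\tau_{A,a} := \prod_{j=1}^{n} \mu_{j,a}^{s_j} \quad\text{and}\quad \tau_{A,b} := \prod_{j=1}^{n} \mu_{j,b}^{s_j} \tag{2}$$

and sends $(\tau_{A,a}, \tau_{A,b})$ to Alice.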

Round 3: Alice chooses two (random) bit strings $m_a, m_b$ of size $q$ (the messages) and
computes $z_a := h_2(m_a)$ and $z_b := h_2(m_b)$. She then computes, for $k = 1, \dots, \frac{n(n-1)}{2}$,

$$s_{k,a} := h_1(\alpha_a^{-k} \tau_{A,a}) \oplus m_a \quad\text{and}\quad s_{k,b} := h_1(\alpha_b^{-k} \tau_{A,b}) \oplus m_b, \tag{3}$$

where $\oplus$ denotes the XOR-function, and sends $((s_{k,a})_k, (s_{k,b})_k, a, b, z_a, z_b)$ to Bob.

Round 4: Bob chooses a random element $\beta \in \mathbb{F}_p^*$ of order $p - 1$, a random
permutation $\rho$ on the set $\{1, \dots, n\}$ and an element $d \in \{a, b\}$. He then computes, for
$i = 1, \dots, n$,

$$\nu_i := \beta^{\rho(i)} \prod_{j=1}^{n} (d + c_{i,j})^{s_j} \tag{4}$$

and sends $(\nu_i)_i$ to Alice.

Round 5: Alice computes

$$\tau_B := \prod_{i=1}^{n} \nu_i^{t_i} \tag{5}$$

and sends $\tau_B$ to Bob.

Finally, Bob computes for $r = 1, \dots, \frac{n(n-1)}{2}$ the list $(\beta^{-r} \tau_B)_r$ until he finds $r_0$ and $k_0$ such
that $h_2(h_1(\beta^{-r_0} \tau_B) \oplus s_{k_0,d}) = z_d$, which gives him the message $m_d = h_1(\beta^{-r_0} \tau_B) \oplus s_{k_0,d}$.
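
A toy end-to-end run of the five rounds above, added here as an illustration and not code from the paper. The prime 1019, the SHA-256 stand-ins for $h_1$ and $h_2$, the 128-bit message length, the seeded RNG and all names are assumptions of this example; its exponent search covers 0 to n(n+1)/2, the full range the sums of $\sigma(j) s_j$ and $\rho(i) t_i$ can take.

```python
import hashlib
import random
from math import prod

P, Q = 1019, 509  # toy safe prime p = 2q + 1 (constructed; far too small for real use)
GENS = [g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, Q, P) != 1]  # order p-1
DEMO = {"a": b"message-for-a-00", "b": b"message-for-b-11"}  # constructed messages

def h1(x):  # stand-in for h1: F_p -> {0,1}^q with q = 128 (assumption)
    return hashlib.sha256(b"h1" + x.to_bytes(2, "big")).digest()[:16]

def h2(m):  # stand-in for h2; SHA-256 is collision resistant, not provably injective
    return hashlib.sha256(b"h2" + m).digest()

def xor(u, v):
    return bytes(x ^ y for x, y in zip(u, v))

def run_ot(m, d, n=6, seed=0):  # m: two 16-byte messages; d: Bob's choice 'a' or 'b'
    rng = random.Random(seed)  # seeded for a repeatable demo, not a secure RNG
    K = range(n * (n + 1) // 2 + 1)  # every value the exponent sums can take
    C = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
    f = lambda y, i, j: (y + C[i][j]) % P
    # Round 1 (Alice): bits t, points a and b, generators, permutations, mu
    t = [rng.randrange(2) for _ in range(n)]
    bad = {-c % P for row in C for c in row}
    pt = dict(zip("ab", rng.sample([y for y in range(P) if y not in bad], 2)))
    al = dict(zip("ab", rng.sample(GENS, 2)))
    sg = {e: rng.sample(range(1, n + 1), n) for e in "ab"}
    mu = {e: [pow(al[e], sg[e][j], P)
              * prod(pow(f(pt[e], i, j), t[i], P) for i in range(n)) % P
              for j in range(n)] for e in "ab"}
    # Round 2 (Bob): bits s, tau_A
    s = [rng.randrange(2) for _ in range(n)]
    tA = {e: prod(pow(mu[e][j], s[j], P) for j in range(n)) % P for e in "ab"}
    # Round 3 (Alice): z_a, z_b and the masked-message lists
    z = {e: h2(m[e]) for e in "ab"}
    S = {e: [xor(h1(pow(al[e], -k, P) * tA[e] % P), m[e]) for k in K] for e in "ab"}
    # Round 4 (Bob): generator beta, permutation rho, nu for his choice d
    beta, rho = rng.choice(GENS), rng.sample(range(1, n + 1), n)
    nu = [pow(beta, rho[i], P)
          * prod(pow(f(pt[d], i, j), s[j], P) for j in range(n)) % P
          for i in range(n)]
    tB = prod(pow(nu[i], t[i], P) for i in range(n)) % P  # Round 5 (Alice): tau_B
    # Bob's search over (r, k): strip beta^r, unmask, check against z_d
    for r in K:
        pad = h1(pow(beta, -r, P) * tB % P)
        for sk in S[d]:
            if h2(xor(pad, sk)) == z[d]:
                return xor(pad, sk)
    return None
```

Calling `run_ot(DEMO, "b")` returns `DEMO["b"]`. Any pair $(r, k)$ that passes the $h_2$ check yields the same message, so a coincidental early match in this small field does not change the result.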
3 Analysis



The following theorem states the correctness of the protocol and (roughly) counts the
computational cost for both sides (for simplicity, we count addition and multiplication in
$\mathbb{F}_p$ as one elementary operation and leave aside the randomized selection process).

Theorem 1 At the end of the protocol, Bob is in possession of the message he asked for.
The computational cost for Alice equals $O(n^2 \cdot (\text{cost of } h_1))$ elementary operations, while
on Bob's side it sums up to $O(n^2 \cdot (\text{cost of } h_1) + n^4 \cdot (\text{cost of } h_2))$.

Proof. The first statement of the theorem is easily seen to be true, since

$$\tau_{A,d} = \alpha_d^{k'} \prod_{i,j=1}^{n} (d + c_{i,j})^{t_i s_j} \tag{6}$$

and respectively

$$\tau_B = \beta^{r'} \prod_{i,j=1}^{n} (d + c_{i,j})^{t_i s_j}, \tag{7}$$

with $d \in \{a, b\}$ and $1 \le k', r' \le n(n-1)/2$. The calculation of the computational cost is
straightforward. □

We now turn to the two fundamental questions for this protocol. For this, we define
the function $f(y) := \prod_{i,j} (y + c_{i,j})^{t_i s_j}$. It is clear that, for $d \in \{a, b\}$, the knowledge of
$f(d)$ leads to the knowledge of the message $m_d$.

Q1: Can Alice efficiently decide whether Bob chose $d = a$?

Q2: Can Bob, who knows $f(d)$, efficiently compute $f(a + b - d)$?

So far, the author of this article is not aware of any polynomial time algorithm 
that would answer one of these questions with "yes".

In the following we shall see that even the ability to efficiently compute discrete
logarithms in $\mathbb{F}_p^*$ does not seem to help much.

So, from now on we will assume that Alice and Bob can compute discrete logarithms
in $\mathbb{F}_p^*$ efficiently. To start with Bob (i.e. Q2), it is easily seen that the knowledge
of Alice's secret bits $t_1, \dots, t_n$ immediately gives him both messages $m_a$ and $m_b$ (he can
compute $f(a)$ and $f(b)$). To get these bits, Bob can choose a generator $g$ of the group $\mathbb{F}_p^*$
and try to solve the equation (cf. (5))

$$x_1 \delta_g(\nu_1) + \dots + x_n \delta_g(\nu_n) = \delta_g(\tau_B) \mod p - 1, \tag{8}$$

where $\delta_g(\cdot)$ denotes the discrete logarithm function with respect to $g$. Since there are
$2^n$ ways to select the values of the $x_i$'s, there are, heuristically speaking, approximately
$2^{n - \log p} \approx 2^{n(1 - \sqrt{\log n / n})}$ solutions to equation (8). Now suppose that Bob knows $f(a)$. He
then can compute $\alpha_a^{k'}$, with an unknown positive integer $k' \le n(n-1)/2$. Suppose further
that he somehow manages to determine $\alpha_a$ (or at least a list of possible candidates for
$\alpha_a$). Since $\gcd(\delta_g(\alpha_a), p - 1) = 1$ this leads (cf. ([1])) in general to the following

Challenge 1 Given $n \in \mathbb{N}$, a prime $p$ of size ~ a matrix $(e_{i,j})_{i,j=1,\dots,n}$ with
integer coefficients and a list of integers $(f_i)_{i=1,\dots,n}$, compute $x_1, \dots, x_n$, with $x_i \in \{0, 1\}$,
and a permutation $\pi$ on the set $\{1, \dots, n\}$ such that

$$\begin{aligned}
x_1 e_{1,1} + \dots + x_n e_{1,n} + \pi(1) &= f_1 \mod p - 1 \\
x_1 e_{2,1} + \dots + x_n e_{2,n} + \pi(2) &= f_2 \mod p - 1 \\
&\;\;\vdots \\
x_1 e_{n,1} + \dots + x_n e_{n,n} + \pi(n) &= f_n \mod p - 1.
\end{aligned}$$

Again, the author of these lines is not aware of any efficient method that solves this 
challenge. 

Now, Alice's story (Q1) is pretty much the same. In the end, Alice finds herself
confronted with a decision version of Challenge 1, but as is easily seen, an algorithm that
can decide in polynomial time whether a solution exists can also be used to efficiently
compute a solution.